About
When working with a firewall such as firewalld, the unexpected can happen and you can be locked out of your VPS.
Many VPS providers offer a rescue mode that gives you access to your disk again.
This how-to shows how to disable your firewall from rescue mode, but you can use the same steps for any other maintenance operation.
Steps
Reboot your VPS in rescue mode
To reboot your VPS in rescue mode, go to the administration website of your VPS provider. It should offer an action to reboot your VPS in rescue mode.
The rescue mode is just:
- a new machine that boots from a minimal disk with a minimal OS
- and attaches your disk
You then get access to your files and disk, and can perform administrative tasks such as:
- deactivate your firewall
- backup or data recovery
- update your network configuration files
- etc.
They should send you the root username and password of the newly created virtual machine by email or through their dashboard.
Login to the rescue VPS and check the disks
Once you have logged in to the machine, the prompt should indicate that it is in rescue mode.
[RESCUE] root@vps-427a1b7c:/ $
You can list the disk partitions with the lsblk command.
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 2.5G 0 disk
└─sda1 8:1 0 2.5G 0 part /
sdb 8:16 0 80G 0 disk
└─sdb1 8:17 0 80G 0 part
The above output shows two disk devices:
- sda1, 2.5 GB, mounted at the root: the rescue VPS
- sdb1, 80 GB, not mounted: the disk of your machine that contains all your data.
In non-rescue mode, you would see only your own disk.
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 80G 0 disk
└─sda1 8:1 0 80G 0 part /
Mount your disk to access your data
To get access to the data on your disk, you need to mount it.
- Create a mount point if necessary (i.e. the directory where your data will be available)
# /mnt may be already created
mkdir /mnt
- Mount your disk into this directory
mount /dev/sdb1 /mnt
- Check that you have access to your data
- Change the root of the file system. This is not always needed, but once done, every process and path will treat /mnt as the root / of the file system. If you skip this step, prefix the paths in the following commands with /mnt.
chroot /mnt
At this stage you have access to your disk and can search for a file:
- by name
find . -name myfile.myextension
- or by content with a pattern
grep -rnw . -e 'how to disable ?'
Disable your firewall service
A service is just a symbolic link in a directory that points to a file:
- located on the file system
- that is read during the system boot.
To disable a service, you just:
- delete this symlink
- or recreate it as a symlink to /dev/null (meaning that the file does not exist). This technique is also called masking the service.
For systemd, the location of this service link is /etc/systemd/system/.
For instance, to disable firewalld, you would create the symlink with the following command
ln -s /dev/null /etc/systemd/system/firewalld.service
You could also just check and modify the configuration of your firewall. For firewalld, the configuration is stored in the zone files located at
/etc/firewalld/zones
There is also a backup of each zone file with a .old suffix. For instance, for the public zone:
/etc/firewalld/zones/public.xml.old
Below is an example of a bad public zone configuration that got messed up by firewall-cmd because the ipset nl was deleted before the rule that references it.
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule family="ipv4">
    <source ipset="nl" invert="True"/>
    <service name="ssh"/>
    <drop/>
  </rule>
</zone>
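The broken zone above comes from a rule that still references an ipset that no longer exists. The following script is an added example, not part of this how-to or of firewalld: it walks every zone file under a given root (/ after chroot, or /mnt without it) and reports ipset references that have no definition file, so the check can be run from rescue mode before rebooting, or on a live system before deleting an ipset. It assumes firewalld's usual layout of zones in etc/firewalld/zones/*.xml and ipsets in etc/firewalld/ipsets/<name>.xml; the sample tree it builds is constructed for the demo and touches no real firewalld files.

```shell
#!/bin/sh
# Added example (not from the original how-to): find firewalld zone rules
# that reference an ipset with no definition file.
# Assumptions: zones live in <root>/etc/firewalld/zones/*.xml and ipsets in
# <root>/etc/firewalld/ipsets/<name>.xml.

# Print "zonefile ipset" for every dangling ipset reference.
# Returns 1 if at least one was found, 0 otherwise.
check_zone_ipsets() {
    root=${1:-/}
    zones="${root%/}/etc/firewalld/zones"
    ipsets="${root%/}/etc/firewalld/ipsets"
    rc=0
    for zone in "$zones"/*.xml; do
        [ -f "$zone" ] || continue
        # extract the value of every ipset="..." attribute in the zone file
        for name in $(grep -o 'ipset="[^"]*"' "$zone" | sed 's/ipset="\(.*\)"/\1/'); do
            if [ ! -f "$ipsets/$name.xml" ]; then
                echo "$zone $name"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample tree: one rule references the missing ipset "nl"
# (as in the broken zone above), another references "admins", which exists.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/firewalld/zones" "$d/etc/firewalld/ipsets"
    cat > "$d/etc/firewalld/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule family="ipv4">
    <source ipset="nl" invert="True"/>
    <service name="ssh"/>
    <drop/>
  </rule>
  <rule family="ipv4">
    <source ipset="admins"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>
EOF
    cat > "$d/etc/firewalld/ipsets/admins.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <entry>203.0.113.10</entry>
</ipset>
EOF
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_root)
    check_zone_ipsets "$demo" || echo "dangling ipset reference(s) found under $demo"
fi
```

Run it with `--demo` to see the constructed tree flagged, or call `check_zone_ipsets /mnt` from the rescue VPS to inspect the mounted disk. The grep/sed extraction is deliberately simple: it matches the attribute as firewalld writes it and does not try to be a full XML parser.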
Reboot
The reboot has to be done from the dashboard of your VPS provider, because it needs to recreate a VPS with your disk attached.
Correct your configuration and unmask your service
Example:
- with systemd
systemctl unmask firewalld
systemctl start firewalld
- or directly from the file system
unlink /etc/systemd/system/firewalld.service
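The mask and unmask steps above are a single symlink operation, so they can be scripted in a way that works both after chroot (root is /) and on the disk mounted at /mnt without chroot. The script below is an added example, not part of this how-to: it refuses to overwrite a real unit file sitting at the mask path (a bare `ln -s` would simply fail there), only removes a link that actually points at /dev/null when unmasking, and can be exercised against a constructed temporary directory instead of a real system. It assumes a systemd target system with unit overrides in etc/systemd/system.

```shell
#!/bin/sh
# Added example, not from the original how-to: mask/unmask a systemd unit by
# managing the /dev/null symlink under an arbitrary root directory.
# Assumption: the target system uses systemd with units in /etc/systemd/system.

# $1 = root directory ("/" after chroot, "/mnt" otherwise), $2 = service name
unit_path() {
    printf '%s/etc/systemd/system/%s.service\n' "${1%/}" "$2"
}

# 0 if the unit is masked (a symlink to /dev/null), 1 otherwise
is_masked() {
    p=$(unit_path "$1" "$2")
    [ -L "$p" ] && [ "$(readlink "$p")" = "/dev/null" ]
}

# Create the /dev/null symlink. Idempotent; returns 2 if something else
# already occupies the path, so a real unit file is never clobbered.
mask_service() {
    p=$(unit_path "$1" "$2")
    if is_masked "$1" "$2"; then
        return 0
    fi
    if [ -e "$p" ] || [ -L "$p" ]; then
        echo "refusing to overwrite existing $p" >&2
        return 2
    fi
    mkdir -p "$(dirname "$p")"
    ln -s /dev/null "$p"
}

# Remove the mask link only if it is the /dev/null link; returns 1 otherwise.
unmask_service() {
    if is_masked "$1" "$2"; then
        unlink "$(unit_path "$1" "$2")"
    else
        return 1
    fi
}

# Constructed sandbox root so the functions can be tried without a VPS.
demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/systemd/system"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    r=$(demo_root)
    mask_service "$r" firewalld && ls -l "$(unit_path "$r" firewalld)"
    unmask_service "$r" firewalld && echo "unmasked firewalld under $r"
fi
```

From the rescue VPS, `mask_service /mnt firewalld` is the scripted equivalent of the `ln -s` command given earlier, and `unmask_service /mnt firewalld` of the `unlink`. On a system where systemctl is available, `systemctl --root=/mnt mask firewalld` achieves the same result without chroot; the script is useful when you want the extra guard against overwriting an existing file.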
Documentation / Reference
- Big thanks to vmbs for the pointer